
GOV ALERT: Queensland finance teams targeted

Shanna Hall

On 26 March, the Queensland Government Cyber Defence Centre (CDC) issued a warning about known business email compromise (BEC) campaigns targeting public sector organisations within Queensland. 

Queensland finance teams should be on high alert for emails or phone calls purporting to be from vendors. Pay extra attention to every sender address and domain name: the QLD CDC has issued a list of red-flag domain names, but Eftsure has also caught attempted frauds using domains that do not appear on that list.

What red flags should teams look out for? 

The attempts follow a similar pattern, using both phone and email to manipulate finance and accounts teams into making fraudulent payments into attacker-controlled bank accounts. 

Look closely at email addresses and domain names. Threat actors imitate legitimate vendors’ names and email address structures by registering a new ‘.com’ domain made up of the vendor’s name followed by a ‘pty’, ‘ltd’ or ‘ptyltd’ suffix. They then create an MX (mail exchange) record for the lookalike domain, which names the mail server that accepts mail for that domain and so lets the actor exchange email with the target, including receiving any replies.

Indicators to watch out for


Note that the QLD CDC has circulated only a limited set of technical indicators (specific red-flag domains and sender addresses). New domains and email addresses are cheap and quick for threat actors to register, so don’t assume a contact is safe just because its domain is not on that list.

Malicious actors have most likely researched the relationships and email address structures used between government entities and their vendors, strengthening their social engineering attempts – that is, psychological manipulation that relies on deception or impersonation. 

What do these fraud attempts usually look like?

Threat actors email finance or accounts teams from the bogus address, asking to confirm vendor contact details or making some other small request to build rapport. They may also ask for past financial statements, invoices or remittance advice, which they later use to get past the fraud or security checks applied when payment details are updated.

That step is one of the most critical – after a bit of emailing, calling and asking for certain data or documentation, the “vendor” will try to amend payment information for the legitimate vendor, switching the details to those of bank accounts they control. 

Initial contact made by the threat actor from the impersonated email address is often benign, attempting to only build rapport with an end-user by confirming the vendor contact details.

How to protect your organisation

  • Ensure all finance and accounts payable employees are aware of the ongoing attempts and know which red flags to consider
  • Double-check processes and control procedures that enable secure payment information updates for legitimate vendors
  • Assess your security policy around email gateways for emails from newly registered domains
  • Search your email gateway and wider environment for the technical indicators circulated by the QLD CDC
  • For QLD government organisations that have been impacted (or fear they may have been impacted), contact QGISVRT immediately via qgisvrt@qld.gov.au or 07 3215 3951
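The lookalike-domain pattern described above (vendor name plus a ‘pty’, ‘ltd’ or ‘ptyltd’ suffix under a new .com) and the gateway search recommended in this list can be combined into a simple triage script. The following is an added example, not code from Eftsure or the QLD CDC; the vendor domains, sender addresses and subjects are constructed, and the bank-change keyword check is a rough heuristic rather than anything the advisory specifies.

```python
import re

# Hypothetical verified vendor domains; in practice load these from your vendor master file.
VERIFIED_VENDOR_DOMAINS = {"acmewaste.com.au", "northcivil.com", "bluegum.net.au"}
# Company-type suffixes the alert describes being appended to a vendor's name, longest first.
SUFFIXES = ("ptyltd", "pty", "ltd")
# Rough heuristic for a request to change where payments go (the step the alert calls critical).
BANK_CHANGE = re.compile(
    r"(updat|chang|new)\w*.*\b(bank|account|remittance|payment)"
    r"|(bank|account|remittance|payment)\w*.*(updat|chang|new)", re.I)

def brand_label(domain: str) -> str:
    """First DNS label, e.g. 'acmewaste' for 'acmewaste.com.au'."""
    return domain.lower().strip().split(".")[0]

VENDOR_BRANDS = {brand_label(d): d for d in VERIFIED_VENDOR_DOMAINS}

def lookalike_vendor(sender_domain: str):
    """Return the verified vendor domain that sender_domain imitates, or None."""
    sender_domain = sender_domain.lower().strip()
    if sender_domain in VERIFIED_VENDOR_DOMAINS:
        return None  # the real, verified domain
    label = brand_label(sender_domain)
    # The alert's pattern: vendor name + pty/ltd/ptyltd; a bare vendor name under
    # a TLD other than the verified one is caught by the first candidate.
    candidates = [label] + [label[:-len(s)] for s in SUFFIXES if label.endswith(s)]
    for cand in candidates:
        if cand in VENDOR_BRANDS:
            return VENDOR_BRANDS[cand]
    return None

def triage(messages):
    """Return (sender, imitated vendor domain, requests_bank_change) for lookalike senders."""
    findings = []
    for sender, subject in messages:
        target = lookalike_vendor(sender.rsplit("@", 1)[-1])
        if target:
            findings.append((sender, target, bool(BANK_CHANGE.search(subject))))
    return findings

# Constructed sample gateway records (sender, subject); none are real addresses.
SAMPLE = [
    ("accounts.receivable@acmewastepty.com", "Please confirm your AP contact details"),
    ("ar@acmewaste.com.au", "Invoice 10432"),
    ("remittance@northcivilptyltd.com", "Updated bank account for future payments"),
    ("billing@bluegum.com", "Statement request"),  # vendor name under a different TLD
    ("news@unrelatedsupplier.com", "Newsletter"),
]
```

Running `triage(SAMPLE)` flags the three lookalike senders and marks only the one asking to update bank details as a payment-change request; the verified vendor address and the unrelated supplier pass through.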

These steps can help you secure your organisation in the short term. In the longer term, you’ll want to consider broader steps that can help pre-empt attacks like BECs – after all, even if government agencies act quickly, it’s not always possible to warn organisations about these sorts of threat actors ahead of time. 

Generally, take a look at these three main areas. 

  • People. Finance and AP teams are often not taught to recognise sophisticated cybercrime tactics, especially since these tactics are constantly evolving and leveraging new technologies. Periodic, tailored awareness programs and training are necessary to keep staff aware and alert. 
  • Processes. Your financial control procedures are often the last line of defence against fraud attempts and cybercrime. Even if an employee slips up or makes a mistake, these processes should act as a final guardrail to keep your money out of fraudsters’ accounts. Think about pressure-testing your existing processes to see where there may be gaps or vulnerabilities. 
  • Technology. As part of your processes and control procedures, consider which steps can be automated or centralised, reducing risk of employee error or processes not being followed. 

